UQ13A Posted December 22, 2009

Hi, I have a problem here. What I have is a ticket support system and I am stuck. What I want is to stop people from changing the id to view other tickets, e.g. ticket.php?id=7 to ticket.php?id=1.

    <?php
    $username = $_SESSION['username'];
    $id = $_GET['id'];
    if($_GET['id'] == "$id") {
        $query = ("SELECT * FROM `Replys` WHERE `ticket` = '$id'");
        $result = mysql_query($query);
        $numResults = mysql_num_rows($result);
        while($row = mysql_fetch_array($result)) {
            $ticketID = $row['ticketID'];
            $problem = $row['message'];
            $time_replied = $row['time'];
            $status = $row['status_code'];
            $by = $row['by'];
            $submiter = $row['submiter'];
            if ($status == 1) {
                $stats = "This ticket is still <font color=00FF00><strong>Open</strong></font>";
            } elseif ($status == 2) {
                $stats = "This ticket has been <font color=FF6600><strong>forwarded to the admin</strong></font>";
            } elseif ($status == 3) {
                $stats = "This ticket has been <font color=FF0000><strong>closed</strong></font>";
            } else {
                $stats = "<font color=FF0000><strong>Error/Deleted</strong></font>";
            }
    ?>
    <a href="SupportDesk.php">Return to Support</a><br /><br />
    <table width="550" cellpadding="5" cellspacing="0" bordercolor="#FFFFFF">
      <tr>
        <td width="75" bgcolor="#FFFFFF"><div align="center"><i><a href=profile.php?user=<?php echo $by ?> target="_blank"><?php echo $by ?></a></i><br>
          <img src="Images/support/mod.gif" width="50" height="50"><br>
          <i><?php echo $time_replied ?></i></div></td>
        <td width="475" valign="top" bgcolor="#FFFFFF"><div align="left"><font size="2.75" color="black"><?php echo $problem ?><br />
          <br /></font><font size="2.75"><?php echo $stats ?> by <?php echo $by; ?></font></div></td>
      </tr>
    </table>
    <br /><br />
    <?php
            $i++;
        }
    } else {
        print "This is not your ticket!";
    }
    ?>
teynon Posted December 22, 2009

Only way is to require a login or use POST, but they can still manipulate POST data.
UQ13A Posted December 22, 2009 (Author)

> Only way is to require a login or use POST, but they can still manipulate POST data.

I use sessions; I check if the user is logged in, then they are shown this page. I also tried this MySQL query, but only the person who submitted it could see:

    <?php
    $query = ("SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'");
    ?>
teynon Posted December 22, 2009

You can't prevent data from being manipulated, you can only validate it. So the only good way to do it is by requiring them to either be an admin or the user who submitted the ticket.
UQ13A Posted December 22, 2009 (Author)

> You can't prevent data from being manipulated, you can only validate it. So the only good way to do it is by requiring them to either be an admin or the user who submitted the ticket.

How would I go about doing that?
mrMarcus Posted December 22, 2009

You want to prevent them from viewing other people's tickets, or just their own?

And this line does nothing:

    $id = $_GET['id'];
    if($_GET['id'] == "$id") { //the same as checking if 1=1, or elephant=elephant, or false=false, etc;
UQ13A Posted December 22, 2009 (Author)

> You want to prevent them from viewing other people's tickets, or just their own?
>
> And this line does nothing:
>
>     $id = $_GET['id'];
>     if($_GET['id'] == "$id") { //the same as checking if 1=1, or elephant=elephant, or false=false, etc;

I want to prevent them from viewing other people's tickets.
Eiolon Posted December 22, 2009

Just create a permissions table and have one of the options be whether they are allowed to view other people's tickets: a 1 if so, a 0 if not. Go into the ticket.php file and throw in some PHP to validate whether they have permission or not based on the permissions table.
UQ13A Posted December 22, 2009 (Author)

> Just create a permissions table and have one of the options be whether they are allowed to view other people's tickets: a 1 if so, a 0 if not. Go into the ticket.php file and throw in some PHP to validate whether they have permission or not based on the permissions table.

I sort of get what you mean about the permissions.
mrMarcus Posted December 22, 2009

What was wrong with your query?

    $query = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'";

This is the track you must take. It's how you allow certain users to view certain content. You said, "but only the person who submitted it could see" .. isn't that the point?
UQ13A Posted December 22, 2009 (Author)

> What was wrong with your query?
>
>     $query = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'";
>
> This is the track you must take. It's how you allow certain users to view certain content. You said, "but only the person who submitted it could see" .. isn't that the point?

Yes, but I want moderators, and only moderators, to look at the tickets and answer them. It's a help desk/support system.
mrMarcus Posted December 22, 2009

> Yes, but I want moderators, and only moderators, to look at the tickets and answer them. It's a help desk/support system.

I understand what it is, as your title says it all. However, it's just now that you are starting to shed some more light on the usage of this system. Why is that? The more people have to guess, the longer it will take for you to be helped.

To clarify your issue: you want only moderators and the respective user to be able to view a certain ticket. For example, John creates a ticket. The ticket is #347. Now you want only John AND any moderator to be able to view ticket #347, correct?

Simple: create a permissions table for moderators with an option being whether they can view tickets or not (`view_tickets` = 1 or 0 in the db permissions table), and follow the same condition within the SQL query as you already have, except now you'll add the permissions to the mix.
teynon Posted December 22, 2009

I keep having to quote myself...

> You can't prevent data from being manipulated, you can only validate it. So the only good way to do it is by requiring them to either be an admin or the user who submitted the ticket.

The user has to be an administrator or the person who created the ticket. You obviously already have some way of distinguishing a moderator from a user. I think you should be able to figure out the logic here, but everyone always wants me to do it for them. (No I won't do it for you, unless you pay me.)
UQ13A Posted December 22, 2009 (Author)

> The user has to be an administrator or the person who created the ticket. You obviously already have some way of distinguishing a moderator from a user. I think you should be able to figure out the logic here, but everyone always wants me to do it for them. (No I won't do it for you, unless you pay me.)

Pay you? Would a packet of Skittles do? I use this:

    if ($user[user_level]>="2") {

where 2 is the moderators' level.
teynon Posted December 22, 2009

Ok, so combine the two statements.

    $sql = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'";
    if ((@mysql_num_rows(@mysql_query($sql)) > 0) && ($user[user_level]>="2")) {
UQ13A Posted December 22, 2009 (Author)

> Ok, so combine the two statements.
>
>     $sql = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'";
>     if ((@mysql_num_rows(@mysql_query($sql)) > 0) && ($user[user_level]>="2")) {

I'll take a look tomorrow, thanks.
teynon Posted December 22, 2009

Oops, use OR:

    if ((@mysql_num_rows(@mysql_query($sql)) > 0) || ($user[user_level]>="2")) {
UQ13A Posted December 23, 2009 (Author)

> Oops, use OR:
>
>     if ((@mysql_num_rows(@mysql_query($sql)) > 0) || ($user[user_level]>="2")) {

Thanks, I replaced the query with this. It all works now, except this: moderators are only shown the reply box and not the information about the ticket. I have attached two pictures below.

[attachment deleted by admin]
mrMarcus Posted December 23, 2009

Show your revised code.
UQ13A Posted December 23, 2009 (Author)

> Show your revised code.

Here it is:

    <?php
    $username = $_SESSION['username'];
    $id = $_GET['view'];
    if (isset($_GET['view'])) {
        $level = "SELECT * FROM `users` WHERE name = '$username'" or die(mysql_error());
        $get = mysql_query($level) or die(mysql_error());
        $user = mysql_fetch_array($get);
        $sql = "SELECT * FROM `Replys` WHERE `ticketID` = '$id' AND `submiter` = '$username'";
        if ((@mysql_num_rows(@mysql_query($sql)) > 0) || ($user[user_level]>="2")) {
            $result = mysql_query($sql);
            print "<a href=\"Support.php\">Return to Support</a><br /><br />";
            while($row = mysql_fetch_array($result)) {
                $ticketID = $row['ticketID'];
                $problem = $row['message'];
                $time_replied = $row['time'];
                $status = $row['status_code'];
                $by = $row['by'];
                $submiter = $row['submiter'];
                if ($status == 1) {
                    $stats = "This ticket is still <font color=\"00FF00\"><strong>Open</strong></font>";
                } elseif ($status == 2) {
                    $stats = "This ticket has been <font color=\"FF6600\"><strong>forwarded to the admin</strong></font>";
                } elseif ($status == 3) {
                    $stats = "This ticket has been <font color=\"FF0000\"><strong>closed</strong></font>";
                } else {
                    $stats = "<font color=\"FF0000\"><strong>Error/Deleted</strong></font>";
                }
    ?>
    <br />
    <table width="550" cellpadding="5" cellspacing="0" bordercolor="#FFFFFF">
      <tr>
        <td width="75" bgcolor="#FFFFFF"><div align="center"><i><a href=../loggedin54782/profile.php?user=<?php echo $by ?> target="_blank"><?php echo $by ?></a></i><br>
          <img src="Images/support/mod.gif" width="50" height="50"><br>
          <i><?php echo $time_replied ?></i></div></td>
        <td width="475" valign="top" bgcolor="#FFFFFF"><div align="left"><font size="2.75" color="black"><?php echo $problem ?><br />
          <br /></font><font size="2.75"><?php echo $stats ?> by <?php echo $by; ?></font></div></td>
      </tr>
    </table><br /><br />
    <?php
                $i++;
            }
    ?>
    Add reply form below<br />
    <form action="" method="post" name="addreply" id="addreply">
      <br />
      Reply below...
      Before forwarding to the admin(s) please ask the user for<br />
      more information regarding their ticket!<br />
      <textarea name="message" id="message" cols="60" rows="5"></textarea>
      <br /><br />
      <input type="submit" name="Close" id="Close" value="Reply + Close" />
      <input type="submit" name="Forward" id="Forward" value="Reply + Forward" />
      <input type="submit" name="Add-Reply" id="Add-Reply" value="Add Reply" />
    </form>
    <?php
        }
    } else {
        print "This is not your ticket!";
    }
    ?>
    </body>
    </html>
mrMarcus Posted December 23, 2009

The query holding the message is not returning results, as the moderator's username is not attached to the user's ticket.

    $sql = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'";

`submitter` does NOT equal 'moderator'.
UQ13A Posted December 23, 2009 (Author)

> The query holding the message is not returning results, as the moderator's username is not attached to the user's ticket.
>
>     $sql = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'";
>
> `submitter` does NOT equal 'moderator'.

I have removed .... `submitter` = '$username'. It works, but like before all users can view the ticket information :S Even if it is not your ticket you can still view it by changing tickets.php?view=(any ticket number here), and that's what I want to stop others doing.
mrMarcus Posted December 23, 2009

> I have removed .... `submitter` = '$username'. It works, but like before all users can view the ticket information :S Even if it is not your ticket you can still view it by changing tickets.php?view=(any ticket number here), and that's what I want to stop others doing.

I know. I was just letting you know that that's why your mods weren't getting the desired information. Now you need to work it out where the mods have global access to the users table.
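teynon's rule (validate server-side: the viewer must be the submitter OR a moderator) and mrMarcus's diagnosis (the `submiter` filter inside the reply query is what hides the ticket from moderators) combined into one check, as an added example that is not code from the thread. It uses PDO with bound parameters in place of the mysql_* calls, assumes the thread's `Replys` and `users` tables with `submiter` holding the ticket owner on every reply row, and the names `isModerator`, `ownsTicket`, `loadTicketReplies` and the DSN are hypothetical.

```php
<?php
// Added example, not the thread's code. Ownership is decided from database rows,
// never from the URL: a user may view a ticket only if they submitted it or hold
// moderator level (user_level >= 2, as in the thread). Assumes tables `Replys`
// (ticketID, submiter, by, message, time) and `users` (name, user_level), a PDO
// connection, and $_SESSION['username'] set by the existing login.
const MODERATOR_LEVEL = 2;

function isModerator(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT `user_level` FROM `users` WHERE `name` = ?');
    $stmt->execute([$username]);
    $level = $stmt->fetchColumn();
    return $level !== false && (int)$level >= MODERATOR_LEVEL;
}

function ownsTicket(PDO $db, string $username, int $ticketId): bool
{
    // The thread's ownership condition, with bound parameters instead of interpolation.
    $stmt = $db->prepare('SELECT 1 FROM `Replys` WHERE `ticketID` = ? AND `submiter` = ? LIMIT 1');
    $stmt->execute([$ticketId, $username]);
    return $stmt->fetchColumn() !== false;
}

// Returns every reply of the ticket when the user is authorized, null when not.
function loadTicketReplies(PDO $db, string $username, int $ticketId): ?array
{
    if (!ownsTicket($db, $username, $ticketId) && !isModerator($db, $username)) {
        return null;
    }
    // Authorization is settled above, so this query must NOT filter on `submiter`;
    // that filter is what left moderators with an empty result set.
    $stmt = $db->prepare('SELECT * FROM `Replys` WHERE `ticketID` = ? ORDER BY `time`');
    $stmt->execute([$ticketId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ticket.php entry point: require an integer id before touching the database.
session_start();
$db = new PDO('mysql:host=localhost;dbname=support', 'dbuser', 'dbpass'); // placeholder DSN
$ticketId = filter_input(INPUT_GET, 'view', FILTER_VALIDATE_INT);
if (!isset($_SESSION['username']) || !is_int($ticketId)) {
    http_response_code(400);
    exit('Invalid request.');
}
$replies = loadTicketReplies($db, $_SESSION['username'], $ticketId);
if ($replies === null) {
    http_response_code(403);
    exit('This is not your ticket!');
}
```

After the check, `$replies` holds the rows to render with the thread's existing table markup; because the reply query no longer filters on `submiter`, a moderator sees the full ticket while a user who edits the `view` parameter gets the 403.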